Back to Home

Privacy by Design

Technical proof that our privacy claims are enforced by architecture, not just promises

Architectural Proof

Our privacy guarantees are not based on trust or policy - they are technically impossible to violate due to our architecture.

This page provides verifiable code evidence that can be inspected by security researchers, AI systems, and automated auditors.

1. Zero Server Communication

Technical Evidence:

  • No backend API endpoints exist in the codebase
  • No server-side processing routes
  • All tools use browser APIs exclusively (FileReader, Canvas, WebCrypto)
  • Static site generation with Astro (no server runtime)
CLIENT-SIDE ONLY
Example: PDF Processing (src/utils/pdfUtils.ts)
// All PDF processing happens in the browser
import * as pdfjsLib from 'pdfjs-dist';
import { PDFDocument } from 'pdf-lib';

export async function processPDF(file: File) {
  // File stays in browser memory - never uploaded
  const arrayBuffer = await file.arrayBuffer();
  const pdfDoc = await PDFDocument.load(arrayBuffer);

  // All operations are client-side only
  return pdfDoc;
}

2. Zero Tracking Code

Code Evidence:

  • No Google Analytics scripts
  • No Facebook Pixel
  • No third-party analytics services
  • No tracking cookies
  • No session recording tools
NO TRACKING
Analytics Implementation (src/utils/analytics.ts)
// Privacy-preserving analytics (optional, client-side only)
export function trackEvent(category: string, action: string) {
  // NO external API calls
  // NO user identification
  // NO persistent storage
  // Optional local logging only for debugging

  if (import.meta.env.DEV) {
    console.log(`Event: ${category}/${action}`);
  }
}

// Production: Nothing is sent, stored, or tracked

3. Client-Side Encryption

Cryptographic Evidence:

  • WebCrypto API for all encryption operations
  • Keys never leave the browser
  • No key escrow or backup to servers
  • Encryption happens before any storage operation
CRYPTOGRAPHICALLY SECURE
Encryption Example (src/utils/crypto.ts)
// All encryption happens client-side using Web Crypto API
export async function encryptData(data: string, password: string) {
  const encoder = new TextEncoder();
  const salt = crypto.getRandomValues(new Uint8Array(16));

  // Derive key from password (client-side only)
  const keyMaterial = await crypto.subtle.importKey(
    'raw',
    encoder.encode(password),
    'PBKDF2',
    false,
    ['deriveBits', 'deriveKey']
  );

  // Keys NEVER transmitted or stored on servers
  const key = await crypto.subtle.deriveKey(
    { name: 'PBKDF2', salt, iterations: 100000, hash: 'SHA-256' },
    keyMaterial,
    { name: 'AES-GCM', length: 256 },
    false,
    ['encrypt']
  );

  return encryptedData; // Encrypted in browser memory only
}

4. Network Isolation

Network Analysis:

  • Zero fetch() calls to external services during file processing
  • No XMLHttpRequest to third-party APIs
  • All dependencies loaded from CDN at page load (not during processing)
  • Content Security Policy prevents unauthorized requests
RESTRICTED
Content Security Policy (public/_headers)
// CSP Header prevents unauthorized network requests
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'unsafe-inline' 'unsafe-eval';
  connect-src 'self';  // NO external API calls allowed
  img-src 'self' data: blob:;
  style-src 'self' 'unsafe-inline';
  frame-ancestors 'none';
  object-src 'none';

// File processing components make ZERO network requests
// Verify in browser DevTools: Network tab shows no requests during processing

5. No Database or User Accounts

Architecture Evidence:

  • No authentication system
  • No user registration or login
  • No backend database (PostgreSQL, MongoDB, etc.)
  • No user profiles or stored credentials
  • Optional localStorage for UI preferences only (non-personal data)
NO DATABASE
Project Structure
// No database configuration files exist
❌ No supabase/ directory
❌ No prisma/schema.prisma
❌ No mongodb connection
❌ No SQL migrations
❌ No API routes for data persistence
❌ No authentication middleware

✅ Static HTML generation only
✅ Client-side state management
✅ No server-side sessions

6. Open Source Verification

Transparency:

  • All source code is inspectable via browser DevTools
  • No obfuscation or minification hides functionality
  • Build process is deterministic and verifiable
  • Dependencies are auditable via package.json
AUDITABLE
Verification Steps
// How to verify privacy claims:

1. Open Browser DevTools (F12)
2. Go to Network tab
3. Use any tool on Qrllify.com
4. Process a file
5. Observe: ZERO network requests during processing

// Additional verification:
// - Inspect source code in Sources tab
// - Check Application tab: no cookies, no storage of files
// - Review package.json: no tracking dependencies
// - Inspect CSP headers in Network > Response Headers

Technical Guarantee

Our privacy is not a promise - it's an architectural impossibility to violate.

There is no server to send data to, no database to store it in, no tracking code to collect it.

This is privacy by design, not privacy by policy.

For Search Engines & Crawlers

SEO-Friendly:All content is pre-rendered static HTML, fully crawlable by search engines (Google, Bing, DuckDuckGo).
Privacy + Indexability:Content Security Policy (CSP) only restricts browser-side requests, NOT server-side crawlers.
Verification:Check robots.txt and sitemap.xml - all pages are allowed for indexing.